CVE-2025-7699: CWE-287 Improper Authentication in ASUSTOR ADM
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
CVE-2025-7699: CWE-287 Improper Authentication in ASUSTOR ADM
Description
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- ASUSTOR1
- Date Reserved
- 2025-07-16T03:13:18.895Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68777867a83201eaacd9257c
Added to database: 7/16/2025, 10:01:11 AM
Last updated: 7/16/2025, 10:01:11 AM
Views: 1
Related Threats
CVE-2025-40985: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SCATI SCATI Vision Web
HighCVE-2025-22227: Vulnerability in VMware Reactor Netty
MediumCVE-2025-7035: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dglingren Media Library Assistant
MediumCVE-2025-6993: CWE-862 Missing Authorization in rustaurius Ultimate WP Mail
HighCVE-2025-5284: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumActions
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.